Intelligent event collection for cloud-based malware detection

ABSTRACT

An anti-malware application detects and remediates malware. The anti-malware application detects an event associated with a process and determines if the event matches an entry in an exclusions list. If the event is absent from the exclusions list, the anti-malware application monitors the operation of the process, logs the event data in an event log, and sends the event to a server to determine whether the process corresponds to malware. The anti-malware application updates the exclusions list based on the logged event if the process does not correspond to malware. The anti-malware application restores a file edited by the process to the saved copy of the original file prior to the file being edited by the process if the process corresponds to malware.

FIELD OF ART

The present disclosure generally relates to malware detection and remediation and more specifically to identifying relevant data for more efficient malware detection and remediation.

BACKGROUND

Malware is malicious software that can damage or lock computer files. There is no guarantee that victims of malware can regain access, and they can be subject to multiple attacks if they are not protected. Therefore, it would be desirable to detect and stop malware.

SUMMARY

A method filters events based on an exclusions list for more efficient detection and remediation of malware. The method updates the exclusions list based on previously logged events that do not correspond to malware. A processor detects an event associated with a process performing an operation on a file. The processor determines if the event matches an entry in an exclusions list. Responsive to determining that the event is absent from the exclusions list, the processor monitors the operation of the process, the processor logs the event data associated with the process in an event log, and sends the event associated with the process to a server. Responsive to a processor detecting the opening of an original file by the process for editing, the processor saves a copy of the original file prior to the original file being edited by the process. The processor receives from the server an indication of whether the process corresponds to ransomware. Responsive to receiving an indication that the process does not correspond to ransomware, the processor updates the exclusions list based on the logged event. Responsive to receiving an indication that the process corresponds to ransomware, the processor restores a file edited by the process to the saved copy of the original file prior to the file being edited by the process.

In another embodiment, a non-transitory computer-readable storage medium stores instructions that, when executed by a processor, cause the processor to execute the above-described method.

In yet another embodiment, a computer system includes a processor and a non-transitory computer-readable storage medium that stores instructions for executing the above-described method.

BRIEF DESCRIPTION OF THE DRAWINGS

The Figures (FIGS.) and the following description relate to preferred embodiments by way of illustration only. It should be noted that from the following discussion, alternative embodiments of the structures and methods disclosed herein will be readily recognized as viable alternatives that may be employed without departing from the principles of what is claimed.

FIG. 1 is a system diagram illustrating an example embodiment of an environment in which an endpoint agent executes.

FIG. 2 is a block diagram illustrating an example embodiment of an endpoint agent of the anti-malware application.

FIG. 3 is a flowchart illustrating an embodiment of a learning process for filtering events for malware detection.

FIG. 4 is a flowchart illustrating an embodiment of a roll-back process for restoring files edited by malware.

DETAILED DESCRIPTION

Reference will now be made in detail to several embodiments, examples of which are illustrated in the accompanying figures. It is noted that wherever practicable similar or like reference numbers may be used in the figures and may indicate similar or like functionality. The figures depict embodiments of the disclosed system (or method) for purposes of illustration only. One skilled in the art will readily recognize from the following description that alternative embodiments of the structures and methods illustrated herein may be employed without departing from the principles described herein.

An endpoint agent applies a learning process to learn trusted events. The endpoint agent logs event data to an event log and sends the event data to a server if they do not match events on an exclusions list of trusted events. The server receives the event data sent from the endpoint agent, applies analysis to detect malware, and provides malware detection information to the endpoint agent. If malware is not detected, the endpoint agent can update the exclusions list based on the previously logged events that the server determined to be unrelated to malware. The endpoint agent can also save copies of original files prior to being edited by a process if the editing operation does not match an event on the exclusions list. In response to a malware attack, the log of untrusted events and the saved copies can be used to roll back changes made by the malware attack by restoring copies of original files.

FIG. 1 is a high-level block diagram illustrating a system environment 100 for an endpoint agent. The system environment 100 comprises a server 105, a network 110, and various clients 120A, 120B, 120C (collectively referenced herein as clients 120). For simplicity and clarity, only one server 105 and a limited number of clients 120 are shown; however, other embodiments may include different numbers of servers 105 and clients 120. Furthermore, the system environment 100 may include different or additional entities.

The server 105 is a computer system configured to store, receive, and transmit data to client devices 120 via the network 110. The server 105 may include a singular computing system, such as a single computer, or a network of computing systems, such as a data center or a distributed computing system. The server 105 receives event data from the client device 120 and detects whether or not a process executing on a client 120 corresponds to malware based on the received event data. Event data is data associated with an event. An event is an operation performed by a process on a file. Event data may include information to identify the process performing the event, information to identify the file being operated on, and information identifying the type of operation being performed.

In one embodiment, the server 105 includes a malware detection module 106. The malware detection module 106 analyzes the received event data to determine whether a process corresponds to malware, which may include ransomware as well as other types of malware. The malware detection module 106 determines the process is malware based on behaviors indicative of malware. Examples of behaviors indicative of malware include the following: deleting files, injecting code from one process into another process, modifying or creating cryptographic keys in registry locations, accessing restricted locations of the operating system 134, and deleting a system recovery file. Other factors such as the process performing encryption of a file, the number of files encrypted by the process within a time window, and the age of the process may be used in determining if the process is malware. If the server 105 detects a pattern of events indicative of malware, the server 105 sends an indication to the client 120 identifying the processes, files, and events relating to the detection.

The network 110 represents the communication pathways between the server 105 and clients 120. In one embodiment, the network 110 is the Internet. The network 110 can also utilize dedicated or private communications links that are not necessarily part of the Internet. In one embodiment, the network 110 uses standard communications technologies and/or protocols. Thus, the network 110 can include links using technologies such as Ethernet, Wi-Fi (802.11), integrated services digital network (ISDN), digital subscriber line (DSL), asynchronous transfer mode (ATM), etc. Similarly, the networking protocols used on the network 110 can include multiprotocol label switching (MPLS), the transmission control protocol/Internet protocol (TCP/IP), the hypertext transport protocol (HTTP), the simple mail transfer protocol (SMTP), the file transfer protocol (FTP), etc. In one embodiment, at least some of the links use mobile networking technologies, including general packet radio service (GPRS), enhanced data GSM environment (EDGE), long term evolution (LTE), code division multiple access 2000 (CDMA2000), and/or wide-band CDMA (WCDMA). The data exchanged over the network 110 can be represented using technologies and/or formats including the hypertext markup language (HTML), the extensible markup language (XML), the wireless access protocol (WAP), the short message service (SMS), etc. In addition, all or some of the links can be encrypted using conventional encryption technologies such as the secure sockets layer (SSL), Secure HTTP and/or virtual private networks (VPNs). In another embodiment, the entities can use custom and/or dedicated data communications technologies instead of, or in addition to, the ones described above.

Each client 120 comprises one or more computing devices capable of processing data as well as transmitting and receiving data via a network 110. For example, a client device 120 may be a desktop computer, a laptop computer, a smart phone, a tablet computing device, an Internet of Things (IoT) device, or any other device having computing and data communication capabilities. Each client 120 includes a processor 125 for manipulating and processing data, and a storage medium 130 for storing data and program instructions associated with various applications. The storage medium 130 may include both volatile memory (e.g., random access memory) and non-volatile storage memory such as hard disks, flash memory, flash drives, external memory storage devices, USB drives, discs and the like. In addition to storing program instructions, the storage medium 130 stores various data associated with operation of the operating system 134, the anti-malware application 136, and user applications 132.

In one embodiment, the storage medium 130 comprises a non-transitory computer-readable storage medium. Various executable programs (e.g., the operating system 134, anti-malware application 136, and user applications 132) are each embodied as computer-executable instructions stored to the non-transitory computer-readable storage medium. The instructions, when executed by the processor 125, cause the client 120 to perform the functions attributed to the programs described herein.

The operating system 134 is a specialized program that manages computer hardware resources of the client 120 and provides common services to the user applications 132. For example, a computer's operating system 134 may manage the processor 125, storage medium 130, or other components not illustrated such as, for example, a graphics adapter, an audio adapter, network connections, disc drives, and USB slots. A cell phone's operating system 134 may manage the processor 125, storage medium 130, display screen, key pad, dialer, wireless network connections and the like. Because many programs and executing processes compete for the limited resources provided by the processor 125, the operating system 134 may manage the processor bandwidth and timing to each requesting process. Examples of operating systems 134 include WINDOWS, MAC OS, IOS, LINUX, UBUNTU, UNIX, and ANDROID.

The user applications 132 may include applications for performing a particular set of functions, tasks, or activities for the benefit of the user. Examples of user applications 132 may include a word processor, a spreadsheet application, and a web browser. In some cases, a user application 132 can be a source of malware that is unknowingly hidden in the user application 132. The malware may infect the client 120 when the user application 132 is installed.

An anti-malware application 136 detects and remediates malware, which may include ransomware as well as other types of malware. The anti-malware application 136 may prevent new malware from being installed on a client 120 or remove or disable existing malware that is already present on the client 120. The anti-malware application 136 may furthermore access a central server via the network 110 in order to download new malware definition files that specify characteristics or behaviors of known malware that the anti-malware application 136 seeks to detect.

The anti-malware application 136 includes an endpoint agent 138 that is configured to monitor and filter events for detection and remediation of malware. The endpoint agent 138 remediates malware when a detection is triggered. The endpoint agent 138 may roll back modified files to an earlier version (prior to a file being edited by a malware process) to undo damage from malware. The endpoint agent 138 may perform other types of remediation such as terminating the process and quarantining the source file. Quarantining the file isolates the source so that it is no longer capable of affecting operation of the client 120. Quarantining may include deleting the source file or moving it to a special area of memory. The endpoint agent 138 is described in further detail below.

FIG. 2 illustrates an example embodiment of an endpoint agent 138. The endpoint agent 138 includes a monitoring module 202 having a filter module 204, a reporter module 206, a learning module 208, a backup module 210, a restore module 212, a log storage 220, and an exclusion storage 230. Alternative embodiments may include different or additional modules or omit one or more of the illustrated modules.

The monitoring module 202 detects events associated with a process performing an operation on a file and stores information associated with untrusted events (event data) to log storage 220. A process is an instance of a computer program or component thereof (e.g., a user application 132 or operating system 134) that is being executed. Events may be filesystem, memory, or network activities. Filesystem activities correspond to actions such as creating files, deleting files, opening files for editing, writing to files, saving and closing files, or moving files. Memory activities may include operations of threads and processes, code injections, or user account control (UAC) elevation. Network activities may include transmission or receipt of TCP/UDP traffic, execution of a local DNS resolver, or connecting to a particular IP address or domain. The monitoring module 202 includes a filter module 204 for identifying untrusted events to be used in detection of malware. Once untrusted events are identified, the monitoring module 202 saves (logs) event data of the untrusted events to log storage 220. By logging only event data of untrusted events and not all detected events, the amount of information stored to log storage 220 can be reduced.

The filter module 204 determines whether a detected event matches an entry on an exclusions list. The exclusions list is stored in exclusion storage 230. An exclusions list is a set of entries that each specify a specific filtering parameter or combination of filtering parameters. The filtering parameters can identify event types based on processes, file characteristics, or combinations thereof. A filtering parameter identifying a process can be a process identifier (ID) or a location (e.g., directory) of an executable. A filtering parameter to identify a file characteristic can be a type of file (e.g., file extension), a location of a file (e.g., a directory or file path), or a combination thereof. If an entry on the exclusions list identifies a trusted process without further parameters, the filter module 204 operates to filter all events associated with the process including events associated with threads of the process. If an entry identifies a file characteristic without further parameters, the filter module 204 operates to filter all events by any process operating on a file having the specified file characteristics (e.g., operations on a particular specified type of file, operations on files stored to a particular specified file location, or a combination thereof). If an entry identifies both a process and a file characteristic (e.g., a file type, location, or combination thereof), the filter module 204 operates to filter all events corresponding to an action by the identified process on a file having the identified file characteristic.

The filter module 204 filters detected events that match entries in the exclusions list by excluding these events from being logged and reported to the server 105. If a detected event matches an entry on an exclusions list, it can be excluded from being monitored because the event is not indicative of malware. Such events are referred to herein as "trusted events." If a detected event does not match an event on an exclusions list, it is monitored by the monitoring module 202 and may be stored to log storage 220 and reported to the server 105 to determine if it could be indicative of malware. Such events are referred to herein as "untrusted events."

The reporter module 206 sends reports of untrusted events to the server 105 for detection of malware, and receives indications of malware detection from the server 105 in response to the reports. The reporter module 206 may send a single report including event data for individual untrusted events in real-time as events occur. Alternatively, the reporter module 206 may aggregate event data over a fixed period of time or over a number of untrusted events occurring, and send a report of a batch of event data to the server 105 for a plurality of events. The reporter module 206 also receives indications of malware detection in response to the report. By sending only the untrusted events to a server 105, the amount of information sent to the server 105 for malware detection can be reduced, thereby improving performance and bandwidth of both the endpoint agent 138 and the server 105.

The exclusions storage 230 stores the exclusions list. Initially, the exclusions list can include hardcoded exclusions that are manually predefined. These hardcoded exclusions can include entries for known system events that are associated with operating system activities and events associated with other known trusted processes and/or files that are not associated with malware. The exclusions list may be updated over time as new trusted events are learned by the learning module 208 described below. The entries on an exclusions list may include exclusions of particular processes, exclusions associated with particular file characteristics, and exclusions of a combination of processes and file characteristics.

The learning module 208 updates the exclusions list based on logged event data for previously untrusted events that are subsequently determined to not correspond to malware. The learning module 208 identifies exclusions by finding patterns in the logged event data that do not correspond to malware. For a set of logged events occurring during a time period when no malware was detected, the learning module 208 identifies respective counts of different event types that each correspond to unique combinations of a process and file characteristic. For example, the learning module 208 may count the number of events corresponding to a particular process executing on a file of a particular file type (e.g., a WINWORD process executing on a .docx file) or a particular process executing on a file in a particular file location (e.g., an EXCEL process executing on a file in a "Sheets" directory). When a counter for a particular event type exceeds a threshold value, the event type can be added as an entry to the exclusions list as an entry specifying the process and the file characteristic associated with the event type.

In some cases, the learning module 208 may make exceptions in which it skips adding a particular event type to the exclusions list even if a count for the event type exceeds a threshold value. For example, if a process associated with the event type is observed to be performing suspicious activity, the event type may be omitted from the exclusions list.

The learning module 208 may be configured to update the exclusions list periodically according to a first time period (e.g., every 24 hours). In each update, the learning module 208 may learn new exclusions from a set of the logged events in log storage that occurred over a second time period (e.g., a 48 hour window). The first period of time may be shorter than the second period of time so that each event may contribute to multiple different updates. The second period of time may correspond to an amount of time logged events are saved in log storage 220 before being purged or overwritten. Over a first period of time, the server 105 may indicate to the endpoint agent 138 that no malware was detected for some of the reported events (also logged to log storage 220). Once the first period of time has passed, the learning module 208 updates the exclusions list by processing the logged events occurring during the last second period of time that did not correspond to malware.

In some embodiments, the learning module 208 may use information from endpoint agents of other clients to update an exclusions list. For example, in some cases the server 105 may determine that different clients (e.g., 120A and 120C) have common patterns in reported events and share information (e.g., exclusions list) between endpoint agents 138 of the different clients. For example, if a client 120A reports events that are similar to events previously reported by client 120C, client 120A may more efficiently update its exclusions list by using a previously updated exclusions list of client 120C. The server 105 may identify common patterns in reported information between clients 120 and share information between different endpoint agents 138 of the clients 120 to more efficiently update an exclusions list.

The backup module 210 saves a copy of an original file prior to the file being edited by an untrusted process. The backup module 210 receives a notification from the monitoring module 202 indicating a file has been opened for editing by an untrusted process that is not on an exclusions list. Responsive to receiving the notification, the backup module 210 saves a copy of the original file prior to the file being edited by the monitored process to log storage 220.

In some embodiments, the backup module 210 may be configured to invoke certain exceptions so that it does not save a copy of the original file when certain predefined conditions occur. For example, the backup module 210 does not save a copy of the original file when it determines that a size of the original file meets or exceeds a threshold backup file size. In another example, the backup module does not save a copy of the original file when it determines that the monitored process created the original file. Saved copies of original files are kept for a specified time (e.g., 48 hours). Rollback is supported for the specified time (e.g., a client 120 can roll back modifications to files up to 48 hours after a malware event is detected).

The restore module 212 restores a file to a saved copy of the original file when the changes to the file were determined to be caused by malware. The restore module 212 may receive a notification from the server 105 indicating that a process corresponds to malware. The restore module 212 may identify files for rollback by identifying logged events in log storage 220 associated with the process to determine which files the process modified. The restore module 212 then rolls back the identified files edited by the process (e.g., restores saved copies of the original file prior to being modified by the process). Alternatively, the restore module 212 may receive instructions from the server 105 to roll back files edited by a process corresponding to malware, and the restore module 212 can restore the files to the saved copy of the original file prior to the file being edited by the process corresponding to malware. In one embodiment, the restore module 212 may purge a portion of logged events in log storage 220 and only keep logged events relevant to rollback.

FIG. 3 is a flowchart illustrating an embodiment of a learning process for filtering events analyzed for ransomware detection. The monitoring module 202 detects 302 an event associated with a process performing an operation on a file. The filter module 204 determines 304 if the event matches an entry in an exclusions list. Responsive to determining that the event is absent from the exclusions list, the monitoring module 202 logs 306 the event data in an event log (e.g., log storage 220), and the reporter module 206 sends the one or more events to a server 105. The endpoint agent 138 receives 308, from the server 105, an indication of whether the process corresponds to malware. Responsive to receiving an indication that the process does not correspond to malware, the learning module 208 updates 310 the exclusions list based on the logged events. The learning module 208 may update the exclusions list after a first predetermined period of time by identifying exclusions in the logged events during a second predetermined period of time that do not correspond to malware. The learning module 208 may count a number of times logged event data of a particular process operates on a file having a particular characteristic such as a file type or a directory. Responsive to the counted number of logged events meeting or exceeding a threshold number of events, the learning module adds an entry to the exclusions list if the process does not exhibit known suspicious behavior associated with malware.
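The filter module's matching rules (process only, file characteristic only, or both) and the learning module's counting-and-threshold update from FIG. 3, worked through as an added example; this is illustrative code written for this page, not the patent's own implementation. The `Event` and `Exclusion` field names, the sample events, the 48 hour window and the threshold of 3 are all constructed assumptions, and the server's verdict is stood in for by a set of process names it flagged.

```python
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Set
import posixpath


@dataclass(frozen=True)
class Event:
    """Constructed event record: the page defines event data only as process,
    file and operation type; the field names here are assumptions."""
    process: str       # process identifier (executable name used here)
    path: str          # file the operation targets
    operation: str     # e.g. "open_for_edit", "write", "delete"
    timestamp: float   # seconds since the epoch


def file_type_of(path: str) -> str:
    """File characteristic 1: the file type, taken as the extension."""
    return posixpath.splitext(path)[1].lower()


@dataclass(frozen=True)
class Exclusion:
    """One exclusions-list entry: a process, a file characteristic, or both.
    Unspecified parameters act as wildcards, as the filter module describes."""
    process: Optional[str] = None
    file_type: Optional[str] = None   # e.g. ".docx"
    directory: Optional[str] = None   # file characteristic 2: the directory

    def __post_init__(self) -> None:
        if self.process is None and self.file_type is None and self.directory is None:
            raise ValueError("an exclusion must specify at least one parameter")

    def matches(self, ev: Event) -> bool:
        if self.process is not None and ev.process != self.process:
            return False
        if self.file_type is not None and file_type_of(ev.path) != self.file_type:
            return False
        if self.directory is not None and posixpath.dirname(ev.path) != self.directory:
            return False
        return True


def is_trusted(ev: Event, exclusions: List[Exclusion]) -> bool:
    """Filter module 204: an event matching any entry is a trusted event."""
    return any(x.matches(ev) for x in exclusions)


def untrusted_events(events: List[Event], exclusions: List[Exclusion]) -> List[Event]:
    """Only untrusted events are logged to log storage and reported to the server."""
    return [ev for ev in events if not is_trusted(ev, exclusions)]


def learn_exclusions(logged: List[Event], exclusions: List[Exclusion], flagged: Set[str],
                     now: float, window_seconds: float, threshold: int) -> List[Exclusion]:
    """Learning module 208: count each (process, file type) and (process, directory)
    pair among logged events inside the learning window, skipping processes the
    server flagged (the 'suspicious activity' exception), and return new entries
    whose count exceeds the threshold (the page says both 'exceeds' and 'meets or
    exceeds'; strict 'exceeds' is used here)."""
    counts: Counter = Counter()
    for ev in logged:
        if now - ev.timestamp > window_seconds or ev.process in flagged:
            continue
        counts[Exclusion(process=ev.process, file_type=file_type_of(ev.path))] += 1
        counts[Exclusion(process=ev.process, directory=posixpath.dirname(ev.path))] += 1
    return [entry for entry, n in counts.items() if n > threshold and entry not in exclusions]


def demo():
    """Constructed scenario: one hardcoded system exclusion, a word processor and a
    spreadsheet doing routine edits, and a process the server later flags."""
    now, hour = 1_700_000_000.0, 3600.0
    exclusions = [Exclusion(process="svchost.exe")]            # hardcoded, predefined entry
    events = [Event("svchost.exe", "/Windows/System32/x.log", "write", now - hour)]
    for i in range(4):
        events.append(Event("WINWORD.EXE", f"/Users/a/Documents/r{i}.docx", "open_for_edit", now - i * hour))
    for i in range(2):
        events.append(Event("EXCEL.EXE", f"/Users/a/Sheets/s{i}.xlsx", "open_for_edit", now - i * hour))
    for i in range(6):
        events.append(Event("cryptor.exe", f"/Users/a/Documents/r{i}.docx.locked", "write", now - hour))
    # An old WINWORD event outside the 48 h window must not count toward the threshold.
    events.append(Event("WINWORD.EXE", "/Users/a/Documents/old.docx", "open_for_edit", now - 72 * hour))

    logged = untrusted_events(events, exclusions)              # what gets logged and reported
    # The server's indication (not modelled) is assumed to have flagged cryptor.exe.
    new = learn_exclusions(logged, exclusions, {"cryptor.exe"}, now, 48 * hour, threshold=3)
    return logged, new, exclusions + new
```

Running `demo()` yields two learned entries, both for WINWORD.EXE (on .docx files and on the Documents directory); EXCEL.EXE stays below the threshold and the flagged process is never learned, so its later events are still reported.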

FIG. 4 is a flowchart illustrating an embodiment of a roll-back process for restoring files edited by malware. The monitoring module 202 detects 402 an event associated with a process performing an operation on a file. The filter module 204 determines 404 if the event matches an entry in an exclusions list. Responsive to determining that the event is absent from the exclusions list, the monitoring module 202 monitors 406 the operations of the process. Responsive to detecting an opening of an original file by the process for editing, the backup module 210 saves 408 a copy of the original file prior to the original file being edited by the process. For example, the monitoring module 202 may detect certain application programming interface (API) calls from a process that are associated with opening and modifying the file. The monitoring module 202 intercepts the API calls prior to the API call executing, and the backup module 210 saves 408 the original file as a backup prior to the file being edited by the process. The endpoint agent 138 receives 410, from the server 105 after a first period of time, an indication of whether the process corresponds to malware. Responsive to receiving an indication that the process corresponds to malware, the restore module 212 restores 412 a file edited by the process to the saved copy of the original file prior to the file being edited by the process. The restore module 212 may identify files for rollback by using logged events in log storage 220. In one embodiment, the restore module 212 may remove logged data that is not used for rollback purposes from log storage 220.
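The backup module's two exceptions (file size threshold, file created by the monitored process), its retention period, and the restore module's log-driven rollback from FIG. 4, as an added example written for this page rather than taken from the patent. The filesystem is a constructed in-memory dictionary, the events are assumed to have already passed the filter step (so every event handed to the agent is untrusted), and the `RollbackAgent` class, the 1024 byte backup limit and the sample paths are all assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the client filesystem: path -> file content.
FileSystem = Dict[str, bytes]


@dataclass
class LogEntry:
    process: str
    operation: str   # "create", "open_for_edit" or "write"
    path: str
    timestamp: float


@dataclass
class SavedCopy:
    content: bytes
    saved_at: float


class RollbackAgent:
    """Hypothetical combination of backup module 210 and restore module 212.
    Every event passed to on_event() is assumed to be an untrusted event."""

    def __init__(self, fs: FileSystem, max_backup_bytes: int, retention_seconds: float):
        self.fs = fs
        self.max_backup_bytes = max_backup_bytes      # backup file size threshold
        self.retention_seconds = retention_seconds    # e.g. 48 h
        self.log: List[LogEntry] = []                 # log storage 220
        self.copies: Dict[str, SavedCopy] = {}        # saved originals, keyed by path
        self.created_by: Dict[str, str] = {}          # path -> process that created it

    def on_event(self, process: str, operation: str, path: str, timestamp: float,
                 data: Optional[bytes] = None) -> None:
        self.log.append(LogEntry(process, operation, path, timestamp))
        if operation == "create":
            self.created_by[path] = process
            self.fs[path] = data or b""
        elif operation == "open_for_edit":
            # Intercepted before the open executes, so the file is still the original.
            self._maybe_save_copy(process, path, timestamp)
        elif operation == "write":
            self.fs[path] = data if data is not None else self.fs.get(path, b"")

    def _maybe_save_copy(self, process: str, path: str, timestamp: float) -> None:
        original = self.fs.get(path)
        if original is None or path in self.copies:
            return  # nothing to protect, or the original is already saved
        if len(original) >= self.max_backup_bytes:
            return  # exception: file meets or exceeds the backup size threshold
        if self.created_by.get(path) == process:
            return  # exception: the monitored process created this file itself
        self.copies[path] = SavedCopy(bytes(original), timestamp)

    def purge_expired(self, now: float) -> List[str]:
        """Saved copies are kept only for the retention period."""
        expired = [p for p, c in self.copies.items() if now - c.saved_at > self.retention_seconds]
        for p in expired:
            del self.copies[p]
        return expired

    def rollback(self, malicious_process: str, now: float) -> Tuple[List[str], List[str]]:
        """Restore every file the flagged process edited, locating them through the
        event log. Returns (restored paths, edited paths with no saved copy)."""
        self.purge_expired(now)
        touched = sorted({e.path for e in self.log if e.process == malicious_process
                          and e.operation in ("open_for_edit", "write")})
        restored, missing = [], []
        for path in touched:
            copy = self.copies.get(path)
            if copy is None:
                missing.append(path)
                continue
            self.fs[path] = copy.content
            restored.append(path)
        # Keep only the log entries still relevant to this rollback.
        self.log = [e for e in self.log if e.process == malicious_process]
        return restored, missing


def demo():
    """Constructed scenario: a process edits three existing files and one it created,
    then the server flags it after the first period of time (24 h here)."""
    hour, t0 = 3600.0, 1_700_000_000.0
    fs: FileSystem = {"/Users/a/Documents/report.docx": b"quarterly report",
                      "/Users/a/Documents/notes.txt": b"meeting notes",
                      "/Users/a/Videos/big.mp4": b"\x00" * 4096}
    agent = RollbackAgent(fs, max_backup_bytes=1024, retention_seconds=48 * hour)
    for path in ("/Users/a/Documents/report.docx", "/Users/a/Documents/notes.txt",
                 "/Users/a/Videos/big.mp4"):
        agent.on_event("cryptor.exe", "open_for_edit", path, t0)
        agent.on_event("cryptor.exe", "write", path, t0 + 1, data=b"ENCRYPTED")
    agent.on_event("cryptor.exe", "create", "/Users/a/Documents/README.locked", t0 + 2, data=b"note")
    agent.on_event("cryptor.exe", "open_for_edit", "/Users/a/Documents/README.locked", t0 + 3)
    restored, missing = agent.rollback("cryptor.exe", now=t0 + 24 * hour)
    return fs, restored, missing
```

In `demo()` the two documents come back to their original content, while the 4096 byte video (above the size threshold) and the file the process created itself have no saved copy and are reported as not restorable, which is exactly the coverage gap the two exceptions trade for smaller backup storage.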

The above-described system and processes beneficially enable efficient detection and remediation of malware. By logging and sending only untrusted events, the endpoint agent 138 efficiently stores and sends only event data associated with suspicious processes and not all detected event data. By storing only files edited by suspicious processes associated with untrusted events, a larger number and/or size of files can be stored for rollback purposes over conventional methods of storing all modified files. By updating an exclusions list used for filtering events, the endpoint agent 138 continuously improves on the efficiency of its detection and remediation of malware.

Additional Considerations

The foregoing description of the embodiments of the invention has been presented for the purpose of illustration; it is not intended to be exhaustive or to limit the invention to the precise forms disclosed. Persons skilled in the relevant art can appreciate that many modifications and variations are possible in light of the above disclosure.

Some portions of this description describe the embodiments of the invention in terms of algorithms and symbolic representations of operations on information. These algorithmic descriptions and representations are commonly used by those skilled in the data processing arts to convey the substance of their work effectively to others skilled in the art. These operations, while described functionally, computationally, or logically, are understood to be implemented by computer programs or equivalent electrical circuits, microcode, or the like. Furthermore, it has also proven convenient at times, to refer to these arrangements of operations as modules, without loss of generality. The described operations and their associated modules may be embodied in software, firmware, hardware, or any combinations thereof.

Any of the steps, operations, or processes described herein may be performed or implemented with one or more hardware or software modules, alone or in combination with other devices. In one embodiment, a software module is implemented with a computer program product comprising a computer-readable medium containing computer program code, which can be executed by a computer processor for performing any or all of the steps, operations, or processes described.

Embodiments of the invention may also relate to an apparatus for performing the operations herein. This apparatus may be specially constructed for the required purposes, and/or it may comprise a general-purpose computing device selectively activated or reconfigured by a computer program stored in the computer. Such a computer program may be stored in a non-transitory, tangible computer readable storage medium, or any type of media suitable for storing electronic instructions, which may be coupled to a computer system bus. Furthermore, any computing systems referred to in the specification may include a single processor or may be architectures employing multiple processor designs for increased computing capability.

Embodiments of the invention may also relate to a product that is produced by a computing process described herein. Such a product may comprise information resulting from a computing process, where the information is stored on a non-transitory, tangible computer readable storage medium and may include any embodiment of a computer program product or other data combination described herein.

Finally, the language used in the specification has been principally selected for readability and instructional purposes, and it may not have been selected to delineate or circumscribe the inventive subject matter. It is therefore intended that the scope of the invention be limited not by this detailed description, but rather by any claims that issue on an application based hereon. Accordingly, the disclosure of the embodiments of the invention is intended to be illustrative, but not limiting, of the scope of the invention, which is set forth in the following claims.

The invention claimed is:
 1. A method for detecting malware comprising:detecting a plurality of events, each event associated with a processperforming an operation on a file having a particular predefinedcharacteristic; determining if each event of the plurality of eventsassociated with the process matches an entry in an exclusions list;responsive to determining that each event of the plurality of eventsassociated with the process is absent from the exclusions list, logginga plurality of event data describing the plurality of events associatedwith the process in an event log on a client device and sending theplurality of event data to a server; receiving, by the client device, anindication from the server of whether the process corresponds to malwarebased on whether the plurality of event data includes a pattern ofevents indicative of malware; and responsive to the received indicationindicating that the process does not correspond to malware: maintaining,by the client device, a count of logged events corresponding tohistorical operations by the process performed on files having theparticular predefined characteristic on the client device, andresponsive to the count exceeding a threshold, adding an entry to theexclusions list stored on the client device to exclude future operationsby the process on files having the particular predefined characteristic.2. The method of claim 1, wherein the exclusions list includes an entryexcluding events associated with a trusted process and determining ifeach event matches the entry in the exclusions list comprises:determining that an identifier of the process matches an identifier ofthe trusted process.
3. The method of claim 1, wherein the exclusions list includes an entry excluding events associated with a trusted process operating on a file having a first particular characteristic and determining if each event matches the entry in the exclusions list comprises: determining that an identifier of the process matches an identifier of the trusted process and that the operated-on file has the first particular file characteristic.
4. The method of claim 3, wherein the first particular file characteristic is one among a file type and a file directory.
5. The method of claim 1, wherein updating the exclusions list is performed periodically after a first period of time, the method further comprising: logging additional event data describing additional events in the event log occurring over a second period of time greater than the first period of time; and purging the event data occurring over the second period of time that is greater in age than the first period of time from the event log.
6. The method of claim 1 comprising: detecting a second event associated with a second process performing a second operation on a second file; determining if the second event associated with the second process matches an entry in the exclusions list; responsive to determining that the second event associated with the second process is absent from the exclusions list, logging second event data associated with the second process in the event log on the client device and sending the second event data to the server; receiving, by the client device, an indication from the server of whether the second process corresponds to malware; and responsive to the received indication indicating that the second process corresponds to malware, remediating the second process.
7. A non-transitory computer-readable storage medium storing instructions for detecting malware, the instructions when executed by a processor cause the processor to perform steps including: detecting a plurality of events, each event associated with a process performing an operation on a file having a particular predefined characteristic; determining if each event of the plurality of events associated with the process matches an entry in an exclusions list; responsive to determining that each event of the plurality of events associated with the process is absent from the exclusions list, logging a plurality of event data describing the plurality of events associated with the process in an event log on a client device and sending the plurality of event data to a server; receiving, by the client device, an indication from the server of whether the process corresponds to malware based on whether the plurality of event data includes a pattern of events indicative of malware; and responsive to the received indication indicating that the process does not correspond to malware: maintaining, by the client device, a count of logged events corresponding to historical operations by the process performed on files having the particular predefined characteristic on the client device, and responsive to the count exceeding a threshold, adding an entry to the exclusions list stored on the client device to exclude future operations by the process on files having the particular predefined characteristic.
8. The non-transitory computer-readable storage medium of claim 7, wherein the exclusions list includes an entry excluding events associated with a trusted process and determining if each event matches the entry in the exclusions list comprises: determining that an identifier of the process matches an identifier of the trusted process.
9. The non-transitory computer-readable storage medium of claim 7, wherein the exclusions list includes an entry excluding events associated with a trusted process operating on a file having a first particular characteristic and determining if each event matches the entry in the exclusions list comprises: determining that an identifier of the process matches an identifier of the trusted process and that the operated-on file has the first particular file characteristic.
10. The non-transitory computer-readable storage medium of claim 9, wherein the first particular file characteristic is one among a file type and a file directory.
11. The non-transitory computer-readable storage medium of claim 7, wherein updating the exclusions list is performed periodically after a first period of time, the instructions further comprising: logging additional event data describing additional events in the event log occurring over a second period of time greater than the first period of time; and purging the event data occurring over the second period of time that is greater in age than the first period of time from the event log.
12. The non-transitory computer-readable storage medium of claim 7, the instructions further including: detecting a second event associated with a second process performing a second operation on a second file; determining if the second event associated with the second process matches an entry in the exclusions list; responsive to determining that the second event associated with the second process is absent from the exclusions list, logging second event data associated with the second process in the event log on the client device and sending the second event data to the server; receiving, by the client device, an indication from the server of whether the second process corresponds to malware; and responsive to receiving an indication that the second process corresponds to malware, remediating the second process.
13. A computing system comprising: a processor; and a non-transitory computer-readable storage medium storing instructions for detecting malware, the instructions when executed by the processor cause the processor to perform steps including: detecting a plurality of events, each event associated with a process performing an operation on a file having a particular predefined characteristic; determining if each event of the plurality of events associated with the process matches an entry in an exclusions list; responsive to determining that each event of the plurality of events associated with the process is absent from the exclusions list, logging a plurality of event data describing the plurality of events associated with the process in an event log on a client device and sending the plurality of event data to a server; receiving, by the client device, an indication from the server of whether the process corresponds to malware based on whether the plurality of event data includes a pattern of events indicative of malware; and responsive to the received indication indicating that the process does not correspond to malware: maintaining, by the client device, a count of logged events corresponding to historical operations by the process performed on files having the particular predefined characteristic on the client device, and responsive to the count exceeding a threshold, adding an entry to the exclusions list stored on the client device to exclude future operations by the process on files having the particular predefined characteristic.
14. The computing system of claim 13, wherein the exclusions list includes an entry excluding events associated with a trusted process and determining if each event matches the entry in the exclusions list comprises: determining that an identifier of the process matches an identifier of the trusted process.
15. The computing system of claim 13, wherein the exclusions list includes an entry excluding events associated with a trusted process operating on a file having a first particular characteristic and determining if each event matches the entry in the exclusions list comprises: determining that an identifier of the process matches an identifier of the trusted process and that the operated-on file has the first particular file characteristic.
16. The computing system of claim 13, wherein updating the exclusions list is performed periodically after a first period of time, the instructions further comprising: logging additional event data describing additional events in the event log occurring over a second period of time greater than the first period of time; and purging the event data occurring over the second period of time that is greater in age than the first period of time from the event log.
17. The computing system of claim 13, the instructions further including: detecting a second event associated with a second process performing a second operation on a second file; determining if the second event associated with the second process matches an entry in the exclusions list; responsive to determining that the second event associated with the second process is absent from the exclusions list, logging second event data associated with the second process in the event log on the client device and sending the second event data to the server; receiving, by the client device, an indication from the server of whether the second process corresponds to malware; and responsive to the received indication indicating that the second process corresponds to malware, remediating the second process.
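The claims above describe one client-side loop: match each file event against an exclusions list keyed on a process identifier and optionally a file type or directory (claims 2 to 4), log and forward unmatched events, accept the server's verdict, count benign events per process and file characteristic and add an exclusion once the count exceeds a threshold (claim 1), purge aged log entries (claim 5), and remediate on a malware verdict (claim 6). The following Python model is an added example, not code from the patent or its assignee. Everything in it is an assumption of the example: the event fields, the use of the image path as the process identifier, the simulated server verdict (three distinct files written and then renamed), the threshold of three, the 600-second retention window and the constructed sample events.

```python
# Added example (not the patent's code): client-side event filter with a
# self-learned exclusions list and a simulated server verdict. All names,
# the verdict pattern, the threshold and the sample events are assumptions.
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple
import os


@dataclass(frozen=True)
class Event:
    ts: float      # seconds since epoch
    proc_id: str   # process identifier (image path here; see note below)
    op: str        # "write" or "rename"
    path: str      # file operated on

    @property
    def file_type(self) -> str:
        return os.path.splitext(self.path)[1].lower()


@dataclass(frozen=True)
class Exclusion:
    """Trusted process id, optionally narrowed to a file type or a directory."""
    proc_id: str
    file_type: Optional[str] = None
    directory: Optional[str] = None

    def matches(self, ev: Event) -> bool:
        return (ev.proc_id == self.proc_id
                and (self.file_type is None or ev.file_type == self.file_type)
                and (self.directory is None or os.path.dirname(ev.path) == self.directory))


def server_verdict(events: List[Event]) -> bool:
    """Simulated cloud check (assumption): writing to and then renaming three
    or more distinct files is treated as a ransomware-like pattern."""
    written = {e.path for e in events if e.op == "write"}
    return len({e.path for e in events if e.op == "rename" and e.path in written}) >= 3


class Client:
    def __init__(self, threshold: int, retention_s: float,
                 verdict: Callable[[List[Event]], bool] = server_verdict):
        self.threshold, self.retention_s, self.verdict = threshold, retention_s, verdict
        self.exclusions: List[Exclusion] = []
        self.event_log: List[Event] = []
        self.counts: Dict[Tuple[str, str], int] = defaultdict(int)  # (proc_id, file_type)
        self.remediated: Set[str] = set()

    def handle(self, events: List[Event]) -> str:
        """Filter one process's events; return 'excluded', 'benign' or 'malware'."""
        pending = [e for e in events if not any(x.matches(e) for x in self.exclusions)]
        if not pending:
            return "excluded"
        self.event_log.extend(pending)            # log on the client device
        if self.verdict(pending):                 # "send to server", receive indication
            self.remediated.add(pending[0].proc_id)
            return "malware"
        for e in pending:                         # benign: count per (process, file type)
            key = (e.proc_id, e.file_type)
            self.counts[key] += 1
            entry = Exclusion(proc_id=key[0], file_type=key[1])
            if self.counts[key] > self.threshold and entry not in self.exclusions:
                self.exclusions.append(entry)     # stop monitoring this pair from now on
        return "benign"

    def purge(self, now: float) -> int:
        """Drop logged events older than the retention window; return how many."""
        keep = [e for e in self.event_log if now - e.ts <= self.retention_s]
        purged = len(self.event_log) - len(keep)
        self.event_log = keep
        return purged


def demo() -> dict:
    """Run constructed benign and malicious event batches through the client."""
    t0 = 1_700_000_000.0
    word = "C:/Program Files/Word/word.exe"        # constructed trusted editor
    enc = "C:/Users/a/AppData/Local/Temp/enc.exe"  # constructed suspicious binary
    c = Client(threshold=3, retention_s=600.0)
    benign = [Event(t0 + i, word, "write", f"C:/Users/a/doc{i}.docx") for i in range(4)]
    first = c.handle(benign)                                                     # 4 > 3: learn .docx exclusion
    second = c.handle([Event(t0 + 10, word, "write", "C:/Users/a/doc9.docx")])  # now excluded
    third = c.handle([Event(t0 + 11, word, "write", "C:/Users/a/sheet.xlsx")])  # other type: still monitored
    mal = []
    for i in range(3):
        p = f"C:/Users/a/Pictures/pic{i}.jpg"
        mal += [Event(t0 + 20 + i, enc, "write", p), Event(t0 + 23 + i, enc, "rename", p)]
    fourth = c.handle(mal)                        # write-then-rename x3: malware
    purged = c.purge(now=t0 + 615)                # benign batches are older than 600 s
    return {"first": first, "second": second, "third": third, "fourth": fourth,
            "exclusions": list(c.exclusions), "purged": purged,
            "log_len": len(c.event_log), "remediated": set(c.remediated)}
```

Running `demo()` shows the learned exclusion taking effect: the fifth `.docx` write from the editor is never logged or sent, while its `.xlsx` write still is, because the exclusion is keyed on the (process, file type) pair rather than the process alone. The choice of "identifier of the process" in claims 2, 3, 8, 9, 14 and 15 is the security-relevant detail: if the identifier is just an image name or path, a binary that runs under a trusted name, or code injected into the trusted process, inherits every exclusion that process earned, and its file operations stop reaching the server. A deployment would key exclusions on something harder to spoof (for instance a hash of the signed image) and treat the purge interval of claims 5, 11 and 16 as the point at which learned exclusions are re-validated rather than kept indefinitely.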